For those of you whose organization targets E.U. residents, the new, draconian European Union directive on privacy – known as the e-Privacy Directive – is going to be changing the way you do business there.
In January 2012, the European Commission proposed a sweeping reform of the E.U.’s 1995 data protection rules. The 1995 rules had been interpreted differently by the 27 member countries, which led to inconsistent enforcement. The new proposal suggests a single law that will apply to all members of the E.U. The time for comment by non-European parties has passed, and the proposal is now solely in the hands of the Europeans. The reform proposal will be debated by the E.U. Council and the European Parliament before becoming a final law in 2015 (it became effective in the U.K. on May 26, 2012).
U.S. companies (and all companies targeting E.U. customers, for that matter) can only hope that the “sky is falling” provisions of the new directive will be watered down before it takes effect on continental Europe. Many smaller E.U. countries oppose the proposed legislation; whether they can exercise sway over the final version remains to be seen.
Here are the top 9 things you should know about the E.U. e-Privacy Directive (with a little editorial thrown in, as expressed by some top U.S. compliance professionals who spoke recently at PLI’s Privacy and Data Security Law Institute 2012):
1. The E.U. privacy authorities must be notified of any breach – regardless of how great or small, regardless of the level of harm – within 24 hours. No exceptions or “carve-outs.” This raises concern, among other things, about false alarms and creating needless worry. And what if the breach occurs on a Friday or Saturday?
2. All organizations with 250+ employees must appoint a DPO – a Data Protection Officer. There are no guidelines as to what constitutes an employee (does it include agents or consultants?) or what the qualifications of the DPO should be.
3. The DPO will be personally liable for damages caused by data security breaches. Who’s going to take this job??
4. Any company targeting E.U. residents must perform a privacy impact assessment for every “system.” What’s a system? Does it include software? Is it a “process”?
5. All consumers have “the right to be forgotten.” This is very controversial. Under this rule, which is aimed at social networks but applies to all companies, any consumer can ask for all of his or her information to be deleted from an organization’s records. What if, say, an employee is fired for wrongdoing? He can request that his former employer delete all information about him from their records. Yes, you read this right: Companies must delete personal info from their business records if requested by the subject, even if the subject is a former employee. For Americans, this is crazy. Europeans think this is a fundamental right; Americans, well, don’t. As one conference panelist put it, this is a huge disconnect between Americans and Europeans on the issue of privacy.
6. And get this: the company must also inform anyone else (i.e., other companies) who may have the requester’s personal info that they also must delete all info on the person. No exceptions.
7. Controllers (those who actually control the information) and processors (those who simply process information at the instruction of the controllers) have joint and several liability. Big issue for service providers, who, it seems, will be liable for security breaches they have no control over.
8. Websites must obtain informed consent from users before storing cookies on users’ computers. As one UK observer noted, “if a piece of technology tracks consumers, you need their consent to do so.” There are two exceptions,[1] but note: neither third-party cookies used for behavioral advertising nor third-party tracking cookies used by social networks to collect data for behavioral advertising or market research are exempted from consent.
9. The fine for violating any part of the E.U. Directive: 2% of global revenue. I repeat: 2% of global revenue. That’s down from 5%, as it was originally drafted.
You can understand why some American companies who operate in Europe are shaking in their boots. Let’s hope those Europeans come to their senses.
[1] Two exceptions: (a) when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (b) when the cookie is strictly necessary for the provider of a service to provide the service requested by the user.
Mandy Roth is an experienced attorney in the Philadelphia area with a background in securities fraud litigation. http://www.linkedin.com/in/mandyroth.